In December 2018, the Inspector General of the Department of Defense (DoD) released a report on the recent audit of the U.S. Ballistic Missile Defense System (BMDS). This audit found that security protocols that should protect networks and systems containing technical information about the BMDS were not put in place. While the audit was performed on the Department of Defense’s own systems, DoD Contractors now have the chance to learn from the audit and take action to ensure their compliance with the Department’s cyber security mandates such as DFARS.
Lessons for DoD Contractors
DoD contractors can use the released report to learn what they may expect if the DoD decides to audit their company’s System Security Plans (SSP). While there is no guarantee that this audit will be similar to the audits performed on DoD contractors’ systems, they can still use it to gain insight into the criteria the DoD uses to assess System Security Plans, work out how to improve their own security measures, and avoid making the same mistakes as the BMDS Components.
Objectives of the DoD’s Security Audit
The key objective of the DoD’s security audit was to determine whether DoD Components implemented security controls and processes at DoD facilities. These security controls should protect BMDS technical information from both internal and external cyber threats.
Findings of the DoD’s Security Audit
In the failed audit, the DoD found that officials did not consistently implement security controls and processes to protect technical information regarding the BMDS. Some network administrators had not put multifactor authentication in place to secure access to BMDS technical information. This increases the chance that an experienced hacker could break into the systems and steal important classified information.
Three of the five Components that the DoD audited did not identify and mitigate known network vulnerabilities. They also, in many cases, did not consistently verify the effectiveness of the security controls they had implemented. Without careful consideration of the security risks and the adequacy or inadequacy of the security controls in place to protect against them, BMDS has no way of knowing whether they have taken enough action to keep their data safe.
Some auditors found that physical security at DoD facilities was inadequate. For example, server racks that are not locked up can be compromised by workers or intruders. Similarly, some officials failed to adequately protect classified data that was stored on removable media, which can easily fall into the wrong hands.
In addition, DoD auditors discovered failures to encrypt BMDS data while it was being transmitted. Some audited organizations also failed to put in place systems to detect attacks on classified networks, which means they could be unaware of threats.
Recommendations of the DoD’s Security Audit
The DoD audit report had four main recommendations to keep data safe at DoD facilities:
- Use multifactor authentication
- Respond quickly to vulnerabilities
- Protect data on removable media
- Implement the ability to detect intrusions, both on computer networks and in physical facilities
Options for DoD Contractors that are Selected for Audit
DoD contractors that are selected for audit must meet the recommendations that the audit report outlines. Contractors can choose to put the responsibility for meeting these requirements onto their in-house IT department, or seek the help of a cyber security consultant who specializes in NIST SP 800-171.
To handle security in house, contractors will need to use the guidelines given in the Self Assessment Handbook – NIST Handbook 162. The National Institute of Standards and Technology (NIST) created this handbook to help DoD contractors comply with all SP 800-171 security requirements. While this handbook is very useful, many contractors still find it difficult to handle all their security needs in house.
For many DoD contractors, working with a third-party Managed Security Service Provider (MSSP) is a better option than trying to handle DFARS compliance in house. Consultants who specialize in DFARS NIST SP 800-171 compliance know exactly how to meet the requirements and are therefore less likely than in-house employees to overlook security holes or make mistakes in the development and implementation of security protocols.
MSSPs can provide the following services to help DoD contractors become compliant:
- Security Assessment: Audit the DoD contractor’s current system against NIST SP 800-171
- System Security Plan: Develop a compliant System Security Plan (SSP) and Plan of Action and Milestones (POAM)
- Remediate: Implement items called out in the POAM
- Compliance Monitoring and Maintenance: Provide the ongoing advanced cybersecurity monitoring and incident response capabilities required to remain compliant
For more information, please see our complete Guide to DFARS Compliance developed specifically for DoD Contractors.
Importance of Compliance for DoD Contractors
With the DoD factoring cyber security into contract awards, it is very important for all DoD contractors to make security a priority. If a DoD audit finds that a contractor is not in compliance, the auditors can issue a stop-work order, which prevents the contractor from carrying out any work on behalf of the DoD until they can prove they have put suitable security measures in place. In extreme cases, the DoD can terminate contracts with contractors who have failed an audit and even bar them from working with the DoD in future.
DoD contractors who need help to comply with DFARS and pass a DoD audit can get in touch with a Managed Security Service Provider (MSSP) who specializes in DFARS/NIST SP 800-171 Compliance Solutions. A compliance consultation from SysArc is free and can help contractors find out whether they are doing enough to keep their Controlled Unclassified Information (CUI) safe.